News and Events in the Information Security world. Check in frequently for news, comments, opinions and guidance for InfoSec issues.
Created by Karn Griffen, Chief Technologist for Compushare, Inc. The nations leading Security, Risk, and Compliance consulting firm specializing in Financial Institutions.

Thursday, August 17, 2006

I felt like Steve Martin in "The Jerk" this morning, as I was jumping up and down in glee when the new 2006 CSI/FBI Computer Crime Survey arrived on my desk. It's not as easy to yell as "The Phonebook is here! The Phonebook is here!", but you get the point. Each year the Computer Security Institute and the San Francisco FBI Computer Intrusion Squad conduct this exciting survey. Going on 11 years, it provides interesting insights into the present state of security and also the current trends we are seeing in our industry. In this post, I'll be covering the highlights and key findings of the survey.

Budgeting

Overall expenditures in IT are hard to understand from the survey, as company size is broken out by revenue. While smaller companies under $100 million in revenue experienced a 200 to 300 percent increase in security expenditures per employee, larger companies experienced a decline in overall spending.

Companies under 10 million in annual sales are spending a whopping $1664 per employee annually on security and security training, while companies over 1 billion are averaging only $218 per employee. It seems like the evil dream of hurting Big Corporate America through cyber-crime is actually crippling the little guy.

Most respondents felt that not enough money was being budgeted for end-user security training. Companies with revenue over 1 billion spend less than $20 on end-user security awareness training. Economies of scale notwithstanding, this strikes me as exceptionally low. Isn’t the end user the greatest threat?

Frequency, Nature and Cost of BreachesThe leading causes of financial loss cited in the survey were:

68% of those losses were from insider threats. This number is down slightly, but it is clear that the problem is not solved by building a more robust perimeter. One interesting statistic in the report is that unauthorized use is down this year, to 52%. Down to 52%! 52% of the companies surveyed reported unauthorized use of their computer systems! Doesn't this bother anyone? I guess it is an improvement over the 70% finding in 2000.

While most attack types have been declining over the past 7 years of the survey, there were several attack types that were on the rise:

All of these attack types were reported by less than 20% of the respondents, but the rise in these categories is something to watch carefully.

64% of all respondents had some sort of website incident, with 59% reporting more than 10 incidents per year. There is obviously something going on here. As organizations have become better at protecting the perimeter with Firewalls, IDS and IPS systems, the remaining Achilles heel is the organization’s public web site, which must remain somewhat open for business.

We began our Deep Web Application Scanning offering in early 2005, and have seen this portion of our business grow rapidly as people of malicious intent are down to the final frontier. Attacking the web server is easy, fairly unsophisticated, and simple to perform with off-the-shelf tools.

Risk Management

Only 29% of respondents deferred any risk by using external “cyber insurance”. You would expect with all that has happened in the last 5 years that organizations would be more willing to pay for insurance. I guess we need a few more tapes with 5 million credit card numbers to disappear.

Outsourcing

Overall there was a slight decrease in IT security outsourcing. While not statically significant (63% to 61%), it is interesting given the current outsourcing trend. It appears that IT security is being considered in a different light than regular IT projects and is not riding the outsourcing wave.

Conclusion

While overall financial losses are down this year, it is still apparent that organizations are still not willing to spend on security technology that could really help them. I suspect that part of this is that many companies do not know exactly how much risk they are carrying because they have not performed a quantitative risk assessment. It is not enough to label your risk as High, Medium, Low. You need to put hard dollars on these items to understand the true impact. This also helps IT organizations in getting the funding they need. If I can reduce 2M in risk with a $50,000 patch management program, why wouldn’t I?

There is also still a definite lack of end user awareness training when it is assumed that the "user is the weakest link." Also, it is clear that the largest cause of financial loss is not the largest concern of most IT departments. Viruses only ranked 5th on the respondents list of concerns behind:

One thing I would like to see in the study covered in future years is more data on how these attacks are carried out. How many were due to poor access lists, poor administrative control, or social engineering? For instance, viruses are the leading cause of financial loss, we know that, but how are these viruses introduced into the network? Is it people clicking on e-mail links, surfing the web, or is it just poor patch management? Until you can answer those questions, it is hard to determine where an organization can realize the best reduction of risk at the least possible cost.

Wednesday, August 16, 2006

The U.S. State Department is about to begin handing out RFID-equipped passports, despite lingering security and privacy concerns.By Anne BroacheStaff Writer, CNET News.comPublished: August 16, 2006, 4:43 PM PDT

"A first wave of U.S. passports implanted with radio tags will soon begin making their way into the hands of American travelers despite lingering privacy and security concerns, federal officials said Monday.

Not long after researchers at a pair of security conferences in Las Vegas demonstrated potential risks associated with the new documents, the U.S. State Department insisted the documents are tamperproof and said it had begun producing them at the Colorado Passport Agency, which serves applicants from that state and the Rocky Mountain region.

The agency said it plans to issue the documents through the nation's other passport facilities within the next few months, as part of its original plan to make all future passports electronic by October. It was unclear how many e-passports would be mailed out this year, although a State Department representative said Monday that the agency expects to distribute a total of 13 million passports by year's end.

The new passports, which have been undergoing testing for several months and have already been issued to some U.S. diplomats, will be equipped with radio frequency identification (RFID) chips that can transmit personal information including the name, nationality, sex, date of birth, place of birth and digitized photograph of the passport holder. They employ a "multilayered approach" to protect privacy and reduce the possibility that passersby can skim data from the books, the agency said.

"The Department of State is confident that the new e-passport, including biometrics and other improvements, will take security and travel facilitation to a new level," the agency said in a statement.

State Department officials claim that a layer of metallic antiskimming material in the front cover and spine of the book can prevent information from being read from a distance, provided that the book is fully closed. The document will also employ a cryptographic technique called Basic Access Control, which means the RFID chip unveils its contents only after a reader successfully authenticates itself as being authorized to receive that information.

State Department spokesman Kurtis Cooper dismissed recent concerns raised by security researchers that the passports could nevertheless be "cloned"--that is, copied and used in a forged passport. The agency is confident that other security features built into the book would foil would-be imposters, he said.

The cloning technique demonstrated at the Las Vegas events is simple: It requires only a laptop equipped with a $200 RFID reader and a smart card programmer. The laptop's software scanned information from the RFID chip and wrote it to the smart card, which can then be embedded in a fake passport.

Security researchers have not, however, figured out how to alter the personal information, which is protected with a digital signature designed to enable unauthorized changes to be detected. Creating a fake passport therefore would be most useful to anyone who can forge the physical document and resembles the actual passport holder.

"The digital photograph of the passport holder embedded in the data page and the digital signature on the data, combined with our human U.S. border inspection process, would prevent someone from using a forged passport to gain entry into the United States," Cooper said in a telephone interview."

Ok, so we have performed our Risk Assessment, classified our assets and data so that we know what and where everything is that we are trying to protect. Next, we need to consider who needs access to the which data, and how we are going to facilitate this.

You can see how important that Risk Assessment is now. If you don't know what you are trying to protect and where it resides, you don't stand a chance.

There are two parts of Managing Employee Access. The first, is authentication, the second access.

Tuesday, August 15, 2006

To illustrate the points we have covered so far, I’d like to share a real-life story with you that happened to me a few months ago. We were hired by the CIO of a large bank in Texas to perform an internal and external penetration test and site assessment. What happened within the first 45 minutes will hopefully shock you. We have been talking about the first steps in building an Information Security Program that really works, and most importantly we are beginning to lay down the foundation of a “layered” security approach. This story will clearly illustrate why that is a good idea.

When I begin to perform a site assessment, I will usually arrive at the bank’s main administrative office 30 minutes before opening. While in the parking lot, I can easily check for wireless devices, and drive around the building looking for possible entrances. I especially look for employee entrances, designated smoking areas, and external telco closet doors. As the traffic begins to pick up in the morning, and the branch is fully open, I will attempt to “piggy-back” an employee into the institution.

So this is how I began at my client's site. After following an employee into the back door I found myself in the hallway of the building, but all the doors in the hallway were locked! Foiled. I tried the stairway, as this was a two story building, I thought I might get lucky. No luck, stairway was locked. I found the elevator, I tried to go the 2nd floor . . . no luck . . . keycarded. Next I pressed “B” for Basement. Viola! I was now heading downstairs, which, by the way, is where the data center was.

Once downstairs, I again started checking doorways. The doorway to the data center was locked and keycarded, I wasn’t going to be that lucky today! But, lo and behold, the stairway was not locked. I went into the stairway, and made my way to the second floor. On the second floor, I found the onsite hackers dream, the TRAINING ROOM! Yes! A room full of exploitable computers, just waiting for keyloggers and pstoreview (a program that gives me all of the usernames and passwords that someone has entered into Internet Explorer). Better yet, the machines were turned on, and logged in! I closed the door slightly, to gain a “moment of obscurity” as they call it in the CIA, cracked my knuckles, plugged in my USB with pstoreview and began . . .

I started with poking around the Network Neighborhood. I immediately found a server with an interesting name “mail-old”. Hmm, that looks promising. I browsed over to “mail-old” looked for some shares, found one called “users”. Went into the users folder, found the President of the Bank’s user folder, opened that (yes, I was surprised I could get this far), and found the CIOs annual performance review, complete with Salary and performance history. Total time: 30 minutes in the parking lot, 15 minutes onsite. It turns out that “mail-old” was a server that was used for a large file transfer, and then abandoned. The entire bank file system had been copied here a month earlier. Customer data, loan files, account numbers . . . all were mine for the taking. Luckily they were paying me for this.

This little story clearly identifies how a layered security model is supposed to work, and how each layer could have stopped me, or slowed me down enough to make my attempts unsuccessful. This is what security is all about – you’ll never make a system 100% secure. 100% secure = 0% usable. 100% usable = 0% secure. Somewhere in between is the right spot, but it is a continuum. Any system can be broken, as long as you have the time and resources to work on it. Our job as security experts is to increase the work factor for the attack to such high levels that attack is near impossible or not worth the effort.

In this example these are only some of the “layers” that could have thwarted my attempt:

Having a keycard that prevented access to the basement. (The stairway door had to remain open as it is the only exit from the basement.)

Training all employees to challenge un-badged or unknown people.

Calling the police when a suspicious person is sitting in the parking lot of your bank for 30 minutes with a laptop.

Segregating the Training and Production networks.

Removing old files from the network.

Keeping all file shares restricted to an “as needed” basis.

Not allowing training PCs to log in automatically.

Not leaving PCs logged in un-attended, or using auto-logoff features.

Restricting training PCs from browsing the Network Neighborhood.

The next few blogs will cover the building of the layers needed to create an Information Security Program that really works . . . .

Monday, August 14, 2006

Physical security describes measures that prevent or deter attackers from accessing a facility, resource, or information stored on physical media. It can be as simple as a locked door or as elaborate as multiple layers of armed guardposts.

The field of security engineering has identified three elements to physical security:

obstacles, to frustrate trivial attackers and delay serious ones;

alarms, security lighting, security guard patrols or closed-circuit television cameras, to make it likely that attacks will be noticed;

and security response, to repel, catch or frustrate attackers when an attack is detected.

In a well designed system, these features must complement each other. For example, the response force must be able to arrive on site in less time than it is expected that the attacker will require to breach the barriers; and persuading them that the likely costs of attack exceed the value of making the attack.

For example, ATMs (cash dispensers) are protected, not by making them invulnerable, but by spoiling the money inside when they are attacked. Attackers quickly learned that it was futile to steal or break into an ATM if all they got was worthless money covered in dye.

Conversely, safes are rated in terms of the time in minutes which a skilled, well equipped safe-breaker is expected to require to open the safe. (These ratings are developed by highly skilled safe breakers employed by insurance agencies, such as Underwriters Laboratories.) In a properly designed system, either the time between inspections by a patrolling guard should be less than that time, or an alarm response force should be able to reach it in less than that time.

Hiding the resources, or hiding the fact that resources are valuable, is also often a good idea as it will reduce the exposure to opponents and will cause further delays during an attack, but should not be relied upon as a principal means of ensuring security.

Sunday, August 13, 2006

Continuing from yesterdays post, here are the beginning steps every company must perform to begin the process of Creating an Atmosphere of Risk Management:

Perform an IT Risk Assessment. If you haven't assessed the risks within yourenvironmentt, you cannot begin to build the controls needed to adequately control them. Any policies instituted without this foundation, are at best without support. The interviewing process of a proper Risk Assessment will also help to begin the awareness that this is indeed a serious process that the corporation is 100% invested in.

Classify Your Data. The military does this well. How can you possibly control access to your data if you don't know what type of data it is. Do you have regulated data within your company that must follow certain standards? How abouHuman ResourceHR data? How about Board Minutes? Financial Data? Marketing Plans? All of these must be put into classifications. Oh, and by the way, I am not talking just about computer data, I mean ALL data. That loan file you left on your desk during lunch? Not acceptable.

Set up an IT Steering Committee. If you don't have this, you need to start one now. Besides overseeing that the mandate of Information Technology is following the strategic mission of the corporation, but this Committee is also where the standards for security should be ratified.

Set up Board Reporting. Each and every meeting of the Board of Directors should contain a time period in which the overall IT Security Risk is reported and evaluated. This futhers the top down approach needed to bring about total awareness.

Any security professional will tell you that the weakest link in security is always people. Even in the movies, how do the antagonists gain access to secure computer systems? By taking advantage of a person with trusted access. So any Information Security Program, in order to be successful, needs to start by building an “Atmosphere of Risk Management” within the organization.

This atmosphere of security is created through raising the awareness level of all employees and through the direction and example of senior management. We cannot emphasize enough, the importance of senior management’s buy-in and involvement in establishing an atmosphere or corporate culture where security is second nature to all employees.

In many of the organizations for which I perform security assessments, lack of buy-in by senior management is evident through the setup of their user accounts. More often than not, the President, CEO,and other senior managers are found to have special access privileges that include never having to change their passwords. On top of that, their passwords are among the worst in complexity, making them easily cracked by simple dictionary methods.

How can employees be expected to follow security policies and practices when it is well known that the top managers do not follow those same policies and practices? Corporate culture is created through the actions and attitudes of the organization’s managers. Therefore, the first step in creating an atmosphere of security is for senior management to adhere to , and enforce, the same policies as everyone else.

Many organizations make the mistake of combining awareness and training simply calling it security awareness training. Awareness is not training. Awareness is an ongoing process designed to focus employees’ attention on security. Awareness presentations are intended to make individuals recognize information security concerns and respond accordingly.

Effective IT security awareness presentations must be designed with the understanding that people develop a tuning-out process known as acclimation. If the same method of providing information is continually used, no matter how stimulating it is, the recipient will selectively ignore the stimulus. Therefore, awareness presentations must be ongoing, creative, and motivational. Awareness presentations should focus employees’ attention so that the information provided will be incorporated into conscious decision-making. This process where an individual incorporates new experiences into existing behavior patterns is called assimilation.

Learning attained through a single awareness activity will tend to be short-term, immediate, and specific. Repeated awareness activities spread over time improves assimilation. Another words, security awareness training performed once a year will not be assimilated into the existing behavior patterns of individuals. Information Security Officers must develop a program of ongoing security awareness in order to building atmosphere of security.

In my next post, I will cover some steps that every organization must take to begin this process . . .